Data protection
Protect data from being manipulated or misused.
This control targets both internal and external fraud risks.
Examples
Examples of this control include:
- securing prefilled data on forms so that it cannot be changed
- securing reports as read-only to prevent manipulation
- ensuring that data coded directly into systems cannot be manually altered
- restricting updates to production data by restricting a system’s parameters
- restricting alterations to a system's source code outside a prescribed change management process
- restricting changes to audit logs
- ensuring requirements under the Protective Security Requirements are adhered to
- ensuring that original copies of data are recorded and stored separately.
Risks from control gap
Allowing data within systems or prefilled forms to be manipulated by clients, employees or third parties could allow fraudsters to:
- submit false claims using manipulated information or evidence
- conceal or erase information or evidence
- facilitate fraudulent payments
- update information without authority
- improperly influence decisions using false or manipulated information.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- reviewing procedures or guidance to confirm they clearly specify how data should be protected from manipulation or misuse
- reviewing controls and policies to see if they conform with the Protective Security Requirements
- confirming protections are in place to prevent data being manipulated or misused
- confirming protections are always applied by employees
- confirming that appropriate protections and classifications are being applied by reviewing a sample of completed data requests
- confirming that data has not been manipulated by doing quantitative analysis, e.g. reconciling audit logs
- confirming that data has not been manipulated by reviewing a sample of data
- confirming that data cannot be manipulated by doing pressure testing or a process walkthrough.
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The deceiver
- The enabler
- The fabricator